Method and system architecture for secure communication between two entities connected to an internet network comprising a wireless transmission segment

ABSTRACT

A method for providing secure communication between first and second systems connected to the internet includes assigning respective permanent internet addresses to first and second entities associated with the systems, making at least one application located in a server of said second system accessible to the first entity, and encrypting data exchanged between the first and second entities in conformity with a desired security protocol. The first and second systems each include a communication protocol stack having at least one layer which allows for the encrypting step to be performed. Through this method, a user in the first system can directly address an application hosted by the second system without using or even knowing the name of the host system. The entity in the first system may be a wireless unit operating, for example, in GSM and the entity in the second system may be a server in an intranet. To enable conversion to take place between the wireless application and internet standards, the server in the second system is preferably equipped with WAP and WEB servers and associated conversion units.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention concerns a method for secure communication between two entities connected to an internet network.

It applies more specifically to communications via an internet network comprising a wireless transmission segment.

The invention also concerns an architecture of a communication system for implementing this method.

Within the context of the invention, the term “entity” should be understood in its most general sense. It includes both hardware or software computer resources and, according to a characteristic of the invention that will be explained below, human beings, using any of the components of the communication system.

The term “internet” should also be understood in its most general sense. It includes, in addition to the Internet per se, private enterprise or similar networks, known as “intranets,” and the networks that extend them to the outside, known as “extranets,” and generally any network in which data is exchanged using an Internet protocol. However, to illustrate the concepts without in any way limiting the scope of the invention, hereinafter we will consider the case of the Internet per se, unless otherwise indicated.

2. Description of the Related Art

Normally, communications in networks of any nature take place in conformity with protocols that conform to standards comprising several superposed software layers.

The architecture of communication networks is described by various logical layers. For example, the “OSI” (“Open Systems Interconnection”) standard defined by the “ISO” comprises seven layers, which run from the so-called lower layers (for example the so-called “physical” layer that supports physical transmission) to the so-called upper layers (for example the so-called “application” layer), passing through intermediate layers, including the so-called “transport” layer. A data layer offers its services to the layer that is immediately above it and requests other services from the layer immediately below it, via appropriate interfaces. The layers communicate by means of primitives. They can also communicate with layers on the same level. In certain architectures, one of these layers or another may be nonexistent.

In the case of an internet network, communications take place in conformity with protocols that are specific to this type of communication, but that also comprise several software layers. There are five layers, and more precisely, going from the top layer to the bottom layer: the application layer (HTTP, “ftp”, “e-mail”, etc.), the transport layer (“TCP”), the network address layer (“IP”), the data link layer (“PPP”, “Slip”, etc.) and the physical layer. The communication protocol is chosen based on the application specifically envisioned: interrogation of “web” pages (HTTP), file transfers (“FTP”), electronic mail (or “e-mail”), forums or “news,” etc.

Overall, an internet network comprises, to begin with, one or more actual data transmission networks, possibly divided into sub-networks. These networks specifically include channels of physical links, which constitute the lowest level. Communications can be handled by relatively low-speed links, i.e., telephone links, or high or very high-speed links, i.e., fiber optics, microwave systems, or satellite links, particularly for the backbone routes. Various systems, subsystems, machines and/or terminals are connected to this network or networks. The connection may be direct (using a modem, for example) or indirect, through a so-called “fire-wall” system, a “proxy”, or through the computer system of an Internet service provider (or “ISP”).

The range of connected entities, in the prior art, can run from large-scale computers (for example of the so-called “main-frame” type) to so-called “low power” terminals, i.e. having few computer resources of their own, for example dedicated terminals, or even simple smart card reading terminals. These entities, which may be referred to generically as “systems,” have an operating system (or “OS”), which may or may not be proprietary. For example, there is the “UNIX” (registered trademark) operating system, frequently used in connection with applications related to the Internet.

Generally, communications between connected entities take place in a so-called client-server mode and implement the so-called object-oriented technology. A server may be defined as being a software program, an application or any software entity that renders a given service (for example the transfer of a requested file). Such an entity is hosted by systems connected to the Internet, which are called “servers”. A “client” entity may be defined as being the counterpart of the “server” entity, i.e., the entity requesting a given service. However, there is nothing to prevent a system or an application from being both “client” and “server.”

As indicated above, one of the software communication layers is constituted by the so-called “IP” address layer. It is in fact necessary for a client, for example, to be able to selectively address a server, via the Internet. For this reason, Internet technology implements the concept known as a “URL” (for “Uniform Resource Locator”), which uses an address known as an “IP” (for “Internet Protocol”) address. The Internet is organized very hierarchically into domains and subdomains, which themselves correspond to networks and subnetworks, managed by electronic directory systems called “DNS” (for “Domain Name Servers”). The structure of the IP address reflects this hierarchical organization. It comprises an IP address per se, itself comprising a destination subnetwork address and an address of an entity within this subnetwork. It is associated with a port number that makes it possible to address a server inside the aforementioned entity.

For a single entity connected to the Internet, the IP addresses can be permanent or can vary over time. For example, systems connected to the Internet via a service provider are generally assigned a different address at the start of each session.

Recently, a certain number of needs have arisen.

A first need has to do with mobility. Users may be said to be “mobile.” These users have mobile terminals, such as portable microcomputers, and they want to be able to connect at any point in the network without excessive restrictions. In particular, migration from one domain to another should be transparent for the user. He should also be able to preserve his usual environment, for example to retain access to a list of services to which he has subscribed, for free or otherwise, to an address list, etc. The data that characterize this environment can be stored in a remote server that the subscriber can access. He can also transport them with him, for example in the memory of a smart card.

More recently, it has been proposed to connect mobile telephones, either alone or in combination with organizer type devices or the like, directly to the Internet. This connection takes place physically via a wireless transmission network, such as the network in the “Global System for Mobile communications” (“GSM”) standard. This network is itself connected to the Internet via specialized “gateways.”

This arrangement is very advantageous, because it allows for extreme mobility. It is no longer necessary to use fixed points to connect to the Internet. A priori, the only limit on this mobility results from the extent of the territorial coverage of a given operator's “GSM” network.

However, there are other types of limitations due to this mode of transmission.

A first limitation is related to bandwidth. In the current state of the art, the transmission speed is very low: 9600 bps. Even in the case of a simple conventional wired telephone line, the V90 standard, for example, makes it possible to obtain a maximum speed of 56000 bps. It is possible to obtain much higher speeds if using ADSL technology (470 kbps to 1 Mbps). In addition, links of the RNIS type by cable or satellite allow high or very high speeds. New technologies are currently being developed or installed, such as GPRS (“Global Packet Radio Service”) or UMTS (“Universal Mobile Telecommunication Service”) and will allow higher transmission speeds, but they are not yet fully operational. At the very least, the GSM network in its current version will last for an indeterminate amount of time, since modifications and/or complete changes of equipment will be necessary, particularly for the so-called “G3” version of GSM.

A second limitation, a consequence of the miniaturization of wireless communication devices, is due to the reduced, and often extremely reduced, area of the display screens of these devices.

It follows that Internet protocols, especially where the web itself is concerned (HTTP protocol), are not well adapted. In particular, the language currently used for these applications is an interpreted page description language called HTML (“Hyper Text Markup Language”); this language is not suitable for the aforementioned types of screens.

Also, a new protocol of the proprietary type, derived from Internet protocols, has been proposed, known as WAP, for “Wireless Application Protocol”. This protocol allows mobile telephones to access e-mail, web or multimedia (video for example) applications, while adapting to the specific characteristics of these devices and of the communication network to which they are connected (for example the GSM network).

Although it allows access to the above applications, this solution is not without its drawbacks.

The Internet sites must be adapted, since it is not possible to display on the screen of a mobile telephone, which moreover is usually monochrome, what can be displayed on a screen of larger dimensions and higher definition, like that of a microcomputer. A specific language has been developed for these uses: WML (“WAP Markup Language”). It is therefore necessary to use a specific browser.

Most of the services offered by telephony operators using WAP technology concern services for accessing stock market quotations, weather reports, schedules for trains or other means of transport, schedules for various shows, etc., or for displaying simple videograms or games that are not very resource-hungry.

However, using this solution for e-commerce or banking applications, for example, poses problems with respect to security, as will be shown below.

In fact, another need that has arisen in many fields of application is the level of security offered by the system during transmissions between two entities.

In the context of the invention, the term “security” should be understood in a general sense. It concerns, first of all, confidentiality: certain data are said to be sensitive, and should not be able to be accessed by unauthorized entities, whether they be physical persons or software applications. For this reason, various encryption techniques are commonly used. Security also concerns the problems of authentication between parties, which are even more acute when these parties can be mobile on the Internet. Authentication can be achieved by means of identification data (passwords) and/or by using the so-called certificate technique, in association with encryption keys, for example stored in a smart card. Security also concerns anything having to do with the integrity of the data transmitted. It must be possible to ensure that the data received has not been subject to undesirable modifications, whether accidental (failure of transmission circuits, for example) or intentional (maliciousness, etc.). To do this, redundancy techniques and/or electronic signature techniques (integrity locking) can be implemented.

For the “conventional” internet network, one of the most commonly used security techniques uses the technology known as SSL/TLS (“Secure Socket Layer/Transport Layer Security”). However, this technology provides only a minimal level of security. A higher level, already made mandatory by the so-called “IPV6” version of the Internet protocols (i.e., version 6, the version used currently being primarily version 4 or “IPV4”), is provided by the security protocol known as “IPSec”. It provides a standardized level of security that allows end-to-end protection, at the network level.

In the case of WAP technology, a security layer having a functionality similar to the aforementioned SSL/TLS layer has been proposed, which can be used for wireless transmissions and is known as WTLS (“Wireless Transport Layer Security”). This technology, which is optional, adds a substantial level of complexity and does not offer a high level of security. Also, since as mentioned, the majority of the services offered do not require any particular security measures, the operators of telephone networks are not very inclined to implement it.

Moreover, and above all, as indicated, there is generally a gateway that serves as the interface between the Internet and the wireless transmission network.

FIG. 1, located at the end of the present specification, schematically illustrates an architecture, according to the prior art, of a communication system 1 between a user U₁ equipped with a mobile terminal of the WAP type 10 (for example a mobile telephone), connected to a radio transmission network RTT (for example in the GSM or GPRS standard), and a computer device 12, connected to the Internet RI, for example a remote server. The mobile terminal 10 has the role of a client vis-à-vis the server 12. The network RTT forms the “aerial” segment of the mobile communication network, a segment linked to a second segment RT, called a PLM (“Public Land Mobile Network”), via transmitting/receiving beacons (not represented) that define cells.

This technology is well known to one skilled in the art and does not need to be described further. For a non-limiting example, it may be beneficial to refer to the article by Jean CELLMER entitled “Réseaux cellulaires, Système GSM” in “Techniques de l'Ingénieur”, Volume TE7364, November 1999, pages 1 through 23.

The Internet RI is interconnected with the segment RT.

The land and aerial RTT segments are interconnected by a gateway 11. Within the context of WAP technology, this gateway 11 generally plays the role of an interface that allows two-way WAP conversions to or from HTTP. It specifically comprises a WAP protocol logical layer 110 a, and an HTTP protocol logical layer 111 a, supplemented by an SSL/TLS security layer 111 b on the HTTP end, and a WTLS security layer 110 b (optional) on the WAP end.

Lastly, the gateway 11 comprises an interface 113 between the two series of logical layers for performing the aforementioned two-way conversion. To be precise, this interface 113 between the SSL/TLS 111 b and WTLS 110 b security protocols introduces a security loophole: the data protected by one protocol must be decrypted inside the gateway before being re-protected by the other, thus creating a non-secure area that makes the so-called “WAP gateway” concept just described practically incompatible with e-commerce and banking applications, and in general, with any so-called sensitive application requiring a high level of security.

On the other hand, looking at a workstation 13, or any similar device under the control of a user U₂, connected directly to the Internet RI, the communication protocols used between this workstation 13 and the server 12 are homogeneous. There is no security loophole intrinsic to the system. The same would be true if the workstation 13 were connected to the server 12 via an intranet or an extranet.

SUMMARY OF THE INVENTION

The object of the invention is to meet the needs that have arisen for communications via an internet network, whether it be a conventional type of network or a network using WAP technology, while eliminating the drawbacks of the devices of the prior art, some of which have been mentioned.

To do this, according to a first characteristic, the aforementioned so-called “WAP gateway” concept is entirely eliminated, which makes it possible to eliminate the security loophole found at the level of the WEB/WAP interface. The WAP/WEB conversion is performed directly at the server level.

According to a second characteristic, each of the entities that must be placed in communication is assigned a so-called permanent address.

According to another characteristic, an end-to-end security mechanism is adopted at the network level, which can be used for any Internet, web, WAP, or other type of application, and which is programmed declaratively, thus providing complete transparency.

Because of this transparency, one of the advantageous consequences of the method according to the invention is that it is not necessary to re-write existing applications in order to protect them with this technique.

In a preferred variant of embodiment of the invention, the mechanism adopted is the aforementioned IPSec protocol.

While the method according to the invention is particularly advantageous when one of the segments of the communication network is constituted by a wireless communication network involving the utilization of WAP technology, it should be clear that it also applies to a homogeneous internet network.

Hence, the main subject of the invention is a method for secure communication between first and second entities interconnected via an internet network, said entities being associated with first and second computer data processing systems within a set of distributed systems connected to said internet network, characterized in that said first and second entities are constituted by a piece of software hosted in one of said systems connected to said internet network and/or a user of said connected systems, in that said first system operates in the so-called client mode and said second system operates in the so-called server mode, in that it includes a step for assigning, in said set of systems, a permanent Internet address of the so-called IP type to each of said interconnected entities, in that installed in said second system forming the server is at least one piece of software forming a server and offering the services of at least one application to said first entity, and in that installed in said first and second systems is a communication protocol stack that includes at least one layer for the execution of a step for encrypting, in end-to-end mode in conformity with a given security protocol, data exchanged between said interconnected entities.

Another subject of the invention is a communication architecture in a set of distributed systems for implementing the method.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described in greater detail in reference to the attached drawings, in which:

FIG. 1 schematically illustrates an exemplary embodiment of a communication system according to the prior art, comprising an internet network and a wireless communication network using WAP technology;

FIG. 2 schematically illustrates an exemplary architecture of a system for communication via an internet network and a wireless communication network using WAP technology, according to a preferred embodiment of the invention;

FIGS. 3 and 4 illustrate two variants of the configuration of a server system according to the invention;

FIGS. 5 and 6 illustrate a system architecture for directly addressing a software application hosted by a system;

FIG. 7 illustrates in greater detail the interconnection of two entities in the system of FIG. 2;

FIG. 8 schematically illustrates a secure link of the so-called “tunnel” type obtained by the method according to the invention; and

FIG. 9 illustrates an exemplary architecture of a system for secure communication via an internet network for a merchant application in so-called WAP technology.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, without in any way limiting the scope of the invention, we will stay within the context of the preferred application of the invention unless otherwise indicated, i.e., within the context of a so-called hybrid communication system comprising an internet network, and possibly an intranet, and a mobile communication network comprising an aerial segment and using WAP technology.

FIG. 2 schematically illustrates an exemplary system architecture, hereinafter referenced 2, for implementing the method according to the invention. The elements in common with the preceding figure have the same references, and will be re-described only as necessary.

The system 2 of the example in FIG. 2, considered as a whole, comprises, to begin with, a mobile terminal 20, under the control of a user U′₁ (playing a role similar to the terminal 10 of FIG. 1), and a mobile station 25, under the control of a user U′₃, both of which are connected to the radio transmission network RTT. The terminal 20, assumed to be a mobile telephone, is connected directly to the network RTT.

The mobile station 25, for example a microcomputer, is connected to this network RTT via a terminal 26, which can also be constituted by a mobile telephone. The latter is connected to the mobile station 25 via a serial link or an infrared link, for example.

As above, the network RTT is connected to the land network RT via a gateway 21. However, according to one of the aspects of the invention, the latter no longer plays the role of a WAP-HTTP conversion interface (the aforementioned “WAP gateway”). It makes it possible, in an intrinsically conventional way, to perform the electrical and logical conversions required to switch from a land-based data transmission mode to a radio transmission mode, for example in the GSM standard.

The land-based network RT is connected to the Internet RI, the latter, in the example of FIG. 2, being connected to an intranet it, via an access server 22. A server 3 is connected to the intranet it.

Also represented is a workstation 24 connected to the intranet it, for example a microcomputer under the control of a user U′₄, and a second workstation 27 connected directly to the Internet RI, for example a microcomputer under the control of a user U′₂ (playing a role similar to station 13 in FIG. 1).

In reality, a much larger number of users is connected to the networks of the system 2, via various types of machines or systems. However, the system 2 of FIG. 2 makes it possible to illustrate the main types of devices encountered in networks in which the standard Internet protocols and WAP coexist. It is also possible to provide so-called “firewall” systems (not represented), for example included in the access server 22, which isolate the intranet it from the outside world, i.e. from the Internet RI.

According to one characteristic, also intrinsically common to the prior art, all or some of the connected machines or systems can be mobile on the network. The other users must be able to transparently address the machines that have migrated. Also, at least in the aforementioned IPV6 version, a device 23, generally known as a “Home agent”, is provided, in this case connected to the intranet it, thus making it possible to handle this mobility. To do this, a protocol called “Mobile IP” is used. It makes it possible to correlate a temporary address assigned to a connected system with a permanent address assigned to the entity that is associated with it. A user wishing to address the mobile system always manipulates only this permanent address. The aforementioned Mobile IP protocol makes it possible to provide macromobility. This is the case, for example, when one changes GPRS network operators.

This set constitutes a distributed system.

Up to this point, except for the structure of the gateway 21, which no longer serves as an interface between the WAP and HTTP protocols, the general architecture of the system 2 just described is intrinsically common to an architecture according to the prior art (like that of FIG. 1).

According to a first characteristic specific to the invention, which will be described in connection with FIGS. 3 and 4, the architecture of the servers 3 is modified in such a way that conversions to the application interface protocols of the web servers are performed inside the latter, and no longer at the level of the gateway 21, in the form of WAP/HTTP communication protocol conversions. The server 3 therefore hosts a WAP gateway with a web server application interface adapter. This modification allows an end-to-end protection of the transmissions that is transparent vis-à-vis the protocols used, be they HTTP, WAP or other protocols (transmissions in data packet mode), and that no longer has a security loophole as in the prior art, by eliminating the WAP gateway function. Lastly, it makes it possible not to use the WTLS security protocol, which is complex to implement and offers only a low level of security.

In FIG. 3, it is assumed that the server 3 comprises both WAP applications, with the references 36 a and 36 b, and web applications, with the references 37 a and 37 b. According to one of the aspects of the invention, a dedicated WAP server 30 and a dedicated web server 31 are also provided, installed in the server 3. These two servers 30 and 31 are capable of selectively recognizing requests in the WAP protocol and those in the web protocol, respectively. This selection is made via the particular configurations of the received messages belonging to either of these protocols. The requests are received directly from the Internet RI, or indirectly through an intranet it (FIG. 2), via conventional elements (not represented) such as a modem, etc., and standardized communication layers (also not represented).

According to a first variant of the invention, illustrated by FIG. 3, a module 32 is interposed between the WAP server 30 and “APIs,” or application interface protocols, of the web server type 33. This module 32, which can be constituted by a piece of software, is an interface adapter that allows the methods for accessing WAP applications to be the same as the methods for accessing web applications with web servers.

The applications 36 a-36 b and 37 a-37 b can be constituted by pages written in the WML and HTML languages, respectively.

As is well known, a certain number of techniques are used to write web applications in “web server DOS”. These APIs can be of the types known as “CGI” (for “Common Gate Interface,” which constitutes a gateway), “NSAPI” (for Netscape Server API, registered trademark) or “ISAPI” (for Internet Server API). The application 37 b is of this type and is therefore interconnected directly with the module 33. More recently, so-called “container” APIs have been proposed, which constitute engines known as “Servlets” (registered trademark). The application 37 a is of this type and is interconnected with the module 33 via a module known as a “Web Container” 34 and specific APIs 35. For example, there is “Tomcat,” for servers of the “Apache” type in the “Linux” operating system (all of these terms are registered trademarks).

According to the advantageous characteristic of the invention just described, the WAP server 30 has an interface adapter 32 that allows applications written for WAP servers 30 to use both series of standard mechanisms mentioned above: the WAP applications 36 b and 36 a, respectively.

A second variant of embodiment of the invention is illustrated by FIG. 4. The server, here referenced 3′, comprises, as before, a WAP server 30 and a web server 31, as well as the interface adapter module 32. However, the applications present in the server 3′ are solely web type applications, referenced 37 a through 37 d, a priori written in HTML language. The web applications 37 a and 37 b correspond to the web applications with the same references in FIG. 3, the applications 37 c and 37 d being substituted for the WAP applications 36 a and 36 b, respectively. Additional modules 38 a and 38 b are inserted between the modules 33 and 34-35 and the applications 37 c and 37 d. The function devolved to these modules 38 a and 38 b is a two-way conversion between the HTML and WML languages. Because of this, requests coming from the WAP server 30 are transmitted via the modules 33 or 34-35 to the converters 38 a or 38 b, then to one of the web applications 37 c or 37 d. On the other hand, requests coming from the web server 31 are transmitted directly from the modules 33 or 34-35 to the web applications 37 a or 37 b. The reverse routing is also true.

According to another characteristic of the method of the invention, a permanent address is assigned to the users or client applications (for example U₁ through U₄, FIG. 2), and to the server applications (for example 36 a-36 b and/or 37 a-37 d, FIG. 3 or 4). Generally, a permanent address is assigned to entities that must be connected. This assigning can be done dynamically.

In the current internet networks, it is not possible to directly address an application inside a system. In general, clients that address a remote entity managed by a system, service or application, invoke a name service. The latter requires the name of the network and the address of the system that contains the entity to be reached.

Also, the Applicant has proposed, in the French patent application published as FR 2 773 428 A1, a method that specifically makes it possible to directly address a software application hosted by a system connected to an internet network. This method will be briefly summarized below in reference to FIGS. 5 and 6.

FIG. 5 schematically illustrates the method for addressing servers according to this patent application. For purposes of simplification, it has been assumed that the set of systems referenced 2′ is contained in a single domain D₁, associated with a domain name server DNS₁. Also for purposes of simplification, only one client Cl₁ has been represented. This could be, for example, the workstation 27 of FIG. 2. According to one of the characteristics of the addressing method, each real system (for example the servers 3 or 3′ in FIGS. 3 and 4) is comparable to a virtual network, referenced SVN₁ through SVN_(n), represented by broken lines in FIG. 5, arbitrarily called “system virtual networks.”

According to a second characteristic of the addressing method, the servers, for example SV₁₁ through SV₁₃ in the system virtual network, are each associated with an individual IP address. It follows that each server, for example the server SV₁₁, i.e., an object or a software entity, is directly addressable by a client, for example the client Cl₁, and more generally, a client Cl_(X) if the system 2′ includes several clients (x being arbitrary). In other words, a client no longer needs to know the name of the system hosting the desired server. The directory of the server DNS₁ stores all the IP addresses of the servers, for example of the servers SV₁₁ through SV₁₃ of the system virtual network.

It should be noted that, in a multidomain system, all the servers of asystem virtual network belong to the same domain.

According to a third characteristic of the addressing method, the “real”systems or machines, which constitute terminal systems in a conventionalconfiguration, become intermediate systems. They constitute nodes of thevirtual networks SVN₁ through SVN_(n) and also nodes of the “real”network, i.e., the Internet or intranet subnetwork SR_(x). The systemsact as gateways that interconnect the nodes of the virtual networks SVN₁through SVN_(n) to the subnetwork SR_(x). Each system is also providedwith an IP address.

A system virtual network SVN₁ associated with a system S₁ can be represented as illustrated by FIG. 6. It may be seen that a system S₁ clearly constitutes a node for the network R_(x), and that it is associated, seen from this network (i.e., from the outside), with a first address IP₁, with @IP₁: X, X₁, X being the prefix assigned to the subnetwork SR_(x) and X₁ being the address of S₁ in the subnetwork SR_(x).

It is assumed that the system virtual network SVN_(y) is constituted by two servers referenced SV_(A) and SV_(B), which it hosts, and by the system S₁ per se. Seen from the system virtual network SVN₁, the system S₁ is associated with a second address IP₂, with @IP₂: Y, Y₁, Y being the prefix assigned to the system virtual network SVN_(y) and Y₁ being the address of S₁ in the network SVN_(y).

Likewise, the servers SV_(A) and SV_(B) are associated with two addresses, IP_(A) and IP_(B), respectively, with @IP_(A): Y, Y_(A) and @IP_(B): Y, Y_(B), Y_(A) and Y_(B) being the addresses of SV_(A) and SV_(B), respectively, in the network SVN_(y).

For a more detailed description of the addressing mechanism, it may be beneficial to refer to the aforementioned French patent application, particularly to FIG. 4 of that application, which illustrates in detail the architecture of a real system that allows the aforementioned addressing.

In the context of the invention, the servers SV_(A) and SV_(B) can be constituted by the WAP 30 and web 31 servers of FIG. 3, the real system S₁ in this case being the server system 3.

The addressing method according to the aforementioned French patent application, like the method according to the invention, is compatible with the most commonly used Internet protocol today, i.e. the IPV4 version. However, an address that conforms to this protocol includes only four bytes, or 2³² theoretical addresses, in reality fewer due to the hierarchical structure mentioned above. Because of the rapid growth of the Internet, projections have shown that this limited address space will quickly result in a shortage. Being able to address entities in a system directly and, according to one of the characteristics of the invention, to assign them permanent addresses, multiplies the number of distinct addresses needed. For this reason, in the context of the invention, the IPV6 protocol is preferred for assigning permanent addresses. The theoretical address space is thereby greatly increased: 2¹²⁸ addresses, or approximately 6.65×10²³ network addresses per square meter of the surface of the earth.

As indicated above, according to a characteristic of the invention, transmissions are secured from end to end, in a way that is transparent vis-à-vis the various application protocols: WAP, web or other. In a preferred embodiment, the protocol known as IPSec is adopted, which protocol the IPV6 node requirements originally made mandatory to implement in every IPV6 node (later revisions of those requirements only recommend it, so the availability of IPSec on a given stack should be verified rather than assumed).

FIG. 7 schematically illustrates an exemplary architecture of a transmission system 2 according to the invention, which shows the interconnection between two client type entities, referenced 4 and 4′, and a server type entity 3. The client 4 or 4′ is constituted by one of the devices represented in FIG. 2: 20, 24, 26 or 28. The two entities, 3 and 4 or 4′, communicate with one another via one or more of the networks of FIG. 2 with the overall reference R. The entity 4 is a client of the web type and the entity 4′ is a client of the WAP type.

It is assumed that the IPV4 protocol is used for the transmissions, which is generally the case at the present time. The addressing method illustrated in reference to FIGS. 5 and 6 and the method according to the invention are compatible with internet networks, as mentioned above. In the context of the invention, a protocol called “6-to-4” is implemented: the IPV6 addresses are derived from the IPV4 addresses of the endpoints (the 6to4 scheme embeds the 32-bit IPV4 address in an IPV6 prefix under 2002::/16), and the IPV6 packets are carried across the IPV4 network encapsulated in IPV4 packets, the outer IPV4 addresses being recovered from the IPV6 addresses at the sending end and the encapsulation being removed at the receiving end.
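To make the address derivation of FIGS. 5 and 6 and the “6-to-4” conversion concrete, the following Go program is added here as an illustration; it is not part of the patent or of any cited implementation. It derives the 6to4 prefix from the IPV4 address (X, X₁) of the real system S₁, forms the addresses (Y, Y_(A)) and (Y, Y_(B)) of the nodes SV_(A) and SV_(B) inside the system virtual network from that prefix, and recovers the outer IPV4 address from such an address. The split of the low 80 bits into a 16-bit subnet id and a 64-bit interface id, and the address 192.0.2.1, are assumptions of the example; RFC 3056 fixes only the 2002:V4ADDR::/48 prefix.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// SixToFourPrefix derives the RFC 3056 6to4 prefix 2002:V4ADDR::/48 from the
// IPv4 address (X, X1) under which the real system S1 is reachable on the
// subnetwork SR_x. The result plays the role of the prefix Y of the system
// virtual network hosted by S1.
func SixToFourPrefix(v4 net.IP) (net.IP, error) {
	v4 = v4.To4()
	if v4 == nil {
		return nil, fmt.Errorf("6to4 needs an IPv4 address")
	}
	p := make(net.IP, net.IPv6len)
	p[0], p[1] = 0x20, 0x02
	copy(p[2:6], v4)
	return p, nil
}

// VirtualNodeAddress forms @IP = Y, Y_n for a node of the system virtual
// network: the 48-bit 6to4 prefix, a 16-bit subnet id (used here for the SVN
// number) and a 64-bit interface id (the node number Y_n). This layout of the
// low 80 bits is an assumption of the example, not something RFC 3056 fixes.
func VirtualNodeAddress(prefix net.IP, subnet uint16, node uint64) net.IP {
	a := make(net.IP, net.IPv6len)
	copy(a[:6], prefix.To16()[:6])
	binary.BigEndian.PutUint16(a[6:8], subnet)
	binary.BigEndian.PutUint64(a[8:16], node)
	return a
}

// IPv4From6to4 is the reverse mapping used when an IPv6 packet addressed to a
// node of the virtual network must be encapsulated for the IPv4 network R:
// the outer IPv4 destination is read from bits 16..47 of the address.
func IPv4From6to4(v6 net.IP) (net.IP, error) {
	v6 = v6.To16()
	if v6 == nil || v6.To4() != nil || v6[0] != 0x20 || v6[1] != 0x02 {
		return nil, fmt.Errorf("%s is not a 6to4 address", v6)
	}
	return net.IPv4(v6[2], v6[3], v6[4], v6[5]).To4(), nil
}

func main() {
	// Constructed example: S1 is reachable on SR_x at 192.0.2.1 (documentation
	// range) and hosts SV_A (node 0xa) and SV_B (node 0xb) in SVN number 1.
	prefix, err := SixToFourPrefix(net.ParseIP("192.0.2.1"))
	if err != nil {
		panic(err)
	}
	for _, n := range []uint64{0xa, 0xb} {
		addr := VirtualNodeAddress(prefix, 1, n)
		outer, _ := IPv4From6to4(addr)
		fmt.Printf("%-22s -> outer IPv4 %s\n", addr, outer)
	}
}
```

The reverse mapping is what the IPV4 stack 392 or 46 of FIG. 7 needs: it never sees a name, only the virtual node's IPV6 address, and still knows which real system on R must receive the encapsulated packet.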

According to the method of the invention, in each physical system a communication protocol stack is implemented, successively comprising an IPV6 stack 390 or 44, which includes the IPSec security protocol 391 or 45, and an IPV4 stack 392 or 46, respectively for the server 3 and for the clients 4 or 4′. The IPV4 stacks 392 and 46 are interfaced with the network R. The IPV6 stacks 390 and 44 are interfaced with the WAP 30 and web 31 servers on the server 3 end, and with the WAP 42 and web 43 clients on the client 4 end.

FIG. 7 also details the application layers of the client 4, which have a high degree of symmetry with those of the server 3. The clients 42 and 42′ can be constituted by browsers. Security associations are defined between users or client applications and server applications. Advantageously, a “triplet” identifies each security association:

a destination address for the data packets;

a security protocol, preferably the protocol known as “ESP” (“Encapsulating Security Payload”), used in tunnel mode; and

a security parameter index (or “SPI”).

It is clear that, in the securing of the transmissions, because the encryption and decryption are performed upstream from the IPV4 address layers in each entity to be placed in communication, the desired transparent protection is obtained from end to end. There is therefore no longer a security loophole during the routing of the data, even if a segment of the network is of the wireless transmission type. The point to verify in a deployment is that the IPSec tunnel terminates in the endpoint entities themselves and not in an intermediate WAP gateway: a tunnel ending at the gateway would leave the data in clear on that node.

The schema equivalent to the architecture represented in FIG. 7 is that illustrated by FIG. 8. The transmission channel can essentially be represented symbolically in the form of a shielded cable or “tunnel” that links two entities, arbitrarily referenced E₁ and E₂, to which the respective permanent addresses @IP_(E1) and @IP_(E2) have been assigned. They are either IPV6 addresses or IPV6-compatible addresses if the network is in the IPV4 protocol.

For example, a secure tunnel is established between a WAP terminal, for example the mobile telephone 20 (FIG. 2), and the server 3 hosting a WAP application 33. Generally, the tunnel transports IPV6 communications from end to end between a user and an application.

Naturally, if the network R is in the IPV6 protocol, the address conversions are no longer necessary and the IPV4 stacks 392 and 46 do not exist.

When the connected station is mobile, the protocol known as “mobile IPV6” is used. The mobile station is associated at all times with a temporary address (the care-of address) that remains transparent for the users wishing to address the entity associated with this station. A dialog is initialized with a device of the aforementioned “home agent” type (FIG. 2: 23). The latter establishes a correlation between the assigned permanent address (the home address) and the temporary address. This provision makes it possible to obtain what has been referred to above as “macromobility.”

The aforementioned dialog is secure. Preferably, the authentication mechanism specific to IPSec is implemented, as recommended by the “mobile IPV6” protocol.

Communications between users and applications are protected through the implementation of the following IPSec services, when they are selected:

authentication of the data source, including the authentication of the user;

integrity; and

confidentiality.

More precisely, the authentication of the users is advantageously done by means of the permanent address that is assigned to them. The users are stored in an electronic directory. For example, the organization known as the “IETF” (“Internet Engineering Task Force”) has standardized a directory access protocol that can be qualified as “lightweight,” known as “LDAP” (“Lightweight Directory Access Protocol”). A subscriber profile and possible privileges are associated with the user. Since IPSec is used with the ESP mechanism in tunnel mode (FIG. 8), the identification of the information source (a permanent IPV6 address), in this case the identification of the user, is present in each data packet in encrypted form, because the inner IP header is part of the ESP payload. In addition, the data source is authenticated, and in this case represents the user. This identification is used to build a security context, which is itself used by the application or, better, by the container of the application, to perform access control for authorization purposes. It should be noted that the address is trustworthy as an identifier only because the security association binds it to the keys that produced the ESP integrity check value: an address read from a packet whose check failed, or which bypassed the tunnel, authenticates nothing.
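The following Go program is an added illustration of the mechanism described in this paragraph and of the security-association “triplet” above; it is not the patent's code nor that of any vendor's IPSec stack. It keeps a security association database keyed by (destination address, protocol, SPI), performs ESP tunnel-mode encapsulation with AES-GCM so that the whole inner IPV6 packet, including the user's permanent source address, is encrypted and integrity-protected, rejects replayed sequence numbers, and reads the user's address back only from a packet whose integrity check value verified. The 2001:db8::/32 addresses, the SPI 0x1001 and the all-zero key are constructed values; the one-packet replay window is a simplification of the sliding window real stacks use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"net"
)

const protoESP = 50 // IP protocol number of ESP

// SAKey is the triplet of the text: destination address, security protocol, SPI.
type SAKey struct {
	Dst   [16]byte
	Proto uint8
	SPI   uint32
}

// SA is one direction of an ESP association using AES-GCM as in RFC 4106: the
// 12-byte nonce is a 4-byte salt from the SA plus an 8-byte per-packet IV sent
// in clear; SPI and sequence number are authenticated but not encrypted.
type SA struct {
	Key  SAKey
	aead cipher.AEAD
	salt [4]byte
	seq  uint32 // last sequence number sent (outbound) or accepted (inbound)
}

func NewSA(dst net.IP, spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sa := &SA{aead: aead, salt: salt, Key: SAKey{Proto: protoESP, SPI: spi}}
	copy(sa.Key.Dst[:], dst.To16())
	return sa, nil
}

// Encapsulate is tunnel mode: the whole inner IPv6 packet, header included, is
// the plaintext, so the user's permanent source address travels encrypted.
// Wire format: SPI(4) | Seq(4) | IV(8) | ciphertext | ICV(16).
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	if sa.seq == ^uint32(0) {
		return nil, errors.New("sequence space exhausted: rekey the SA")
	}
	sa.seq++
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], sa.Key.SPI)
	binary.BigEndian.PutUint32(hdr[4:8], sa.seq)
	if _, err := rand.Read(hdr[8:16]); err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, sa.salt[:]...), hdr[8:16]...)
	return sa.aead.Seal(append([]byte{}, hdr...), nonce, inner, hdr[:8]), nil
}

// Decapsulate looks the SA up by the triplet, drops an already-seen sequence
// number (a one-packet window; real stacks keep a sliding window) and verifies
// the ICV before trusting a single byte of the inner packet.
func Decapsulate(sadb map[SAKey]*SA, dst net.IP, esp []byte) ([]byte, error) {
	if len(esp) < 32 {
		return nil, errors.New("ESP payload too short")
	}
	k := SAKey{Proto: protoESP, SPI: binary.BigEndian.Uint32(esp[0:4])}
	copy(k.Dst[:], dst.To16())
	sa, ok := sadb[k]
	if !ok {
		return nil, errors.New("no SA for (dst, ESP, SPI)")
	}
	seq := binary.BigEndian.Uint32(esp[4:8])
	if seq <= sa.seq {
		return nil, errors.New("replayed sequence number")
	}
	nonce := append(append([]byte{}, sa.salt[:]...), esp[8:16]...)
	inner, err := sa.aead.Open(nil, nonce, esp[16:], esp[:8])
	if err != nil {
		return nil, errors.New("ICV check failed: modified packet or wrong key")
	}
	sa.seq = seq
	return inner, nil
}

// IPv6Packet builds a minimal inner IPv6 header around a payload; InnerSource
// reads the source address back, which identifies the user only on a packet
// that Decapsulate accepted.
func IPv6Packet(src, dst net.IP, payload []byte) []byte {
	h := make([]byte, 40, 40+len(payload))
	h[0], h[6], h[7] = 6<<4, 59, 64 // version 6, next header "none", hop limit
	binary.BigEndian.PutUint16(h[4:6], uint16(len(payload)))
	copy(h[8:24], src.To16())
	copy(h[24:40], dst.To16())
	return append(h, payload...)
}

func InnerSource(inner []byte) net.IP { return net.IP(append([]byte{}, inner[8:24]...)) }
```

A sending entity and a receiving entity each hold their own SA object for the same triplet and key (the sequence counter is per direction); the security context of the text is then whatever the directory returns for InnerSource of a packet that Decapsulate accepted, never for an address taken from the wire.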

To illustrate the concept, we will now describe an exemplary architecture of a transmission system implementing the provisions of the invention, adapted to a secure mobile merchant application, using a segment of a packet radio transmission network, for example of the GPRS type.

FIG. 9 schematically illustrates an architecture of this type, referenced 2″. The elements in common with the preceding figures have the same references, and will be re-described only as necessary.

As before, the system 2″ overall comprises mobile terminals, only one of which, 20, under the control of the user U₁, is illustrated. This mobile terminal 20 is connected to the segment of the wireless network RTT then, via the gateway 21 to the public global network RT, to the Internet RI. A server, for example like 3 in FIG. 3, hosting at least one merchant application, for example the application 36 a, in WAP technology, is connected to the Internet via the intranet it and the access server 22. A web terminal 24 connected to the intranet it is also represented. This terminal is similar to the station 24 of FIG. 2.

The address protocol and IPSec stacks (see FIG. 7) make it possible to assign IPV6 addresses and perform the operations required by the IPSec protocol.

The architecture just described makes it possible to establish a logical link lls between the user U₁ and the WAP merchant application 36 a that is secure from end to end, despite the fact that it uses a wireless network segment.

From the above, it is easy to see that the invention achieves the stated objects.

It should be clear, however, that the invention is not limited to just the exemplary embodiments explicitly described, particularly in connection with FIGS. 2 through 9.

The applications of the invention are not limited to the field of “secure electronic commerce” alone. They also cover banking and medical applications, and more generally any application implementing communications that pass through an internet network, particularly wherein at least one segment is constituted by a wireless transmission network.

While this invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the preferred embodiments of the invention as set forth herein are intended to be illustrative, not limiting. Various changes may be made without departing from the true spirit and full scope of the invention as set forth herein and defined in the claims.

1. A method for secure communication between first and second entities interconnected via an internet network, said entities being associated with respective first and second processing systems connected to said internet network, said first system operating in client mode and said second system operating in server mode, said method comprising: assigning respective permanent internet addresses to said first and second entities, making at least one application, located in said second system, accessible to said first entity, receiving an application request at the second system, selectively recognizing said application request as belonging to one of a first and a second application interface communication protocol, said first application interface communication protocol associated with a first server of the second system and said second application interface communication protocol associated with a second server of the second system, providing said application request recognized as belonging to the first application interface communication protocol to the first server of the second system, providing said application request recognized as belonging to the second application interface communication protocol to the second server of the second system, converting, using a web server application interface portion of the second server, said application request recognized as belonging to the second application interface communication protocol to the first application interface communication protocol, encrypting data exchanged between said first and second entities in conformity with a desired security protocol, wherein said first and second systems include a communication protocol stack having at least one layer which allows for said encrypting step to be performed, said second entity hosting a WAP gateway utilizing a web server application interface adapter, said second system being configured to communicate, via the web server application interface adapter, directly with a first type of WAP application and, via a web container and at least one specific application program interface, with a servlet WAP application, and performing a conversion to or from HTTP using a WAP gateway function included in the second system.
2. A method according to claim 1, wherein said permanent IP addresses assigned to said first and second entities conform to an IPV6 Internet address protocol.
3. A method according to claim 2, wherein communications through said internet network take place in conformity with an IPV4 Internet address protocol, and wherein said method further comprises: executing, in at least one of said first and second systems, an address conversion step which includes converting said IPV4 internet address protocol to said IPV6 internet address protocol.
4. A method according to claim 1, wherein said encrypting step is performed in conformity with an IPSec protocol in tunnel mode, in order to obtain secure data exchanges between said first and second entities, and wherein said IPSec protocol is used with an ESP mechanism for authenticating information sources.
5. A method according to claim 4, wherein said first entity is a user of said first system, wherein said method further includes a step for authenticating said user, and wherein said permanent IP address assigned to said first entity is used to identify said user.
6. A method according to claim 5, wherein communications through said network take place in data packet mode, and wherein said permanent IP address identifying said user is present in encrypted form in conformity with said IPSec protocol, in each of said data packets.
7. A method according to claim 1, wherein said first system is connected to a wireless transmission segment, wherein communications between said first system and said second system take place in conformity with a WAP protocol, and wherein said second system includes a WAP server and a unified interface between said WAP server and at least one application, said at least one application being located in said second system and being accessible by said first entity, and wherein said WAP server is integrated into said second system as a web server.
8. A method according to claim 7, wherein said second system includes an additional module for performing two-way interface adaptation of structures, which makes it possible to support application interfaces used by web servers.
9. A method according to claim 7, wherein said first system includes a WAP browser.
10. A method according to claim 1, wherein said first system includes a mobile system, wherein said method further includes assigning to said first system a temporary address, and initiating a dialog between said first system and a home agent connected to said internet network to correlate said permanent address assigned to said first entity with said temporary address, in conformity with said IPV6 protocol.
11. A system architecture for secure communication between first and second entities interconnected via an internet network, said entities respectively being associated with first and second data processing systems within a set of distributed systems connected to said internet network, said first system operating in client mode and said second system operating in server mode, said first and second entities being associated with permanent internet addresses, comprising: at least one application included in said second system, said at least one application being accessible by said first entity; first and second communication protocol stacks respectively included in said first and second systems, a first application interface communication protocol associated with a first server of the second system, a second application interface communication protocol associated with a second server of the second system, said second server comprising a web server application interface portion configured to convert an application request belonging to the second application interface communication protocol to the first application interface communication protocol, each of said first and second communication protocol stacks comprising at least one address layer using a respective one of said permanent IP addresses and a logical layer for encrypting, in end-to-end mode in conformity with a given security protocol, data exchanged between said first and second entities, and said second entity hosting a WAP gateway utilizing a web server application interface adapter, the server included in said second system being configured to communicate, via the web server application interface adapter, directly with a first type of WAP application and, via a web container and at least one specific application program interface, with a servlet WAP application, and a WAP gateway function included in the second system to perform a conversion to or from HTTP.
12. An architecture according to claim 11, wherein said address layer conforms to an IPV6 protocol.
13. An architecture according to claim 12, wherein said internet network conveys data packets in conformity with an IPV4 protocol, wherein each of said first and second communication protocol stacks includes a first address layer in the IPV6 protocol and a second address layer in the IPV4 protocol from which IPV6-compatible addresses are derived, in order to obtain exchanges in tunnel mode, and wherein said logical layer in each of said first and second communication protocol stacks encrypts data packets exchanged between said first and second entities.
14. An architecture according to claim 11, wherein said logical layer in each of said first and second communication protocol stacks conforms to an IPSec protocol in tunnel mode, in order to obtain secure data exchanges between said interconnected first and second entities, and wherein said IPSec protocol is used with an ESP mechanism for identifying information sources.
15. An architecture according to claim 11, wherein said first system is connected to a wireless transmission segment, communications between said first system and said second system take place in conformity with a WAP protocol, said second system includes at least a first module constituting a WAP server and a second module forming a unified interface between said WAP server and said at least one application, and said WAP server is integrated into said second system as a web server.
16. An architecture according to claim 15, wherein said second system includes at least one additional module for two-way conversion of data packets of structures in conformity with web or WAP protocols.
17. An architecture according to claim 15, wherein said first system is a mobile telephone terminal operating in a GSM standard, said mobile telephone terminal including a WAP type browser constituting a client and a display screen for displaying pages in WML-type language.
18. An architecture according to claim 15, wherein said first system is a mobile telephone terminal operating in a GPRS standard, and wherein said mobile telephone includes an Internet browser constituting a client and a display screen for displaying pages in WML-type language.